
Exploit for GitLab CE/EE - Remote Code Execution (CVE-2021-22205)

Description:

GitLab CE/EE starting from 11.9 does not properly validate image files that were passed to a file parser, resulting in a remote command execution vulnerability. This template attempts to passively identify vulnerable versions of GitLab without the need for an exploit by matching unique hashes for the application-.css file in the header for unauthenticated requests. Positive matches do not guarantee exploitability. Tooling to find relevant hashes based on the semantic version ranges specified in the CVE is linked in the references section below.
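The passive check described above, as an added example that is not the template's or GitLab's own code: it pulls the digest out of the application-<digest>.css link in the page header of an unauthenticated response and looks it up in a table of digests known to belong to affected releases. The digest table here is a constructed placeholder; the real values come from the hash-generator tool in the references, and a match still only indicates a likely-affected version, not exploitability.

```python
import re
from typing import Optional

# Constructed placeholder table: digest -> version label. The real digests for the
# affected version ranges come from the hash-generator tool in the references; these
# values are made up for the example and match nothing real.
KNOWN_VULNERABLE_DIGESTS = {
    "a" * 64: "13.10.x (placeholder)",
    "b" * 64: "13.9.x (placeholder)",
}

# GitLab serves its compiled stylesheet as /assets/application-<digest>.css; the digest
# changes with every release, which is what makes it usable as a version fingerprint.
_CSS_ASSET_RE = re.compile(
    r'<link[^>]+href="(?:https?://[^"/]+)?/assets/application-([0-9a-f]{32,64})\.css"',
    re.IGNORECASE,
)


def extract_css_digests(html: str) -> list[str]:
    """Return every application-<digest>.css digest referenced in the page <head>."""
    head = html.split("</head>", 1)[0]  # only the document header is inspected
    return _CSS_ASSET_RE.findall(head)


def classify(html: str, known: dict[str, str] = KNOWN_VULNERABLE_DIGESTS) -> tuple[str, Optional[str]]:
    """Passive verdict: ('match', label) when a digest is in the known-affected table,
    ('no-match', None) when GitLab digests were found but none are listed, and
    ('not-gitlab', None) when no application-*.css asset is present at all."""
    digests = extract_css_digests(html)
    if not digests:
        return ("not-gitlab", None)
    for digest in digests:
        if digest in known:
            return ("match", known[digest])
    return ("no-match", None)


# Constructed sign-in page fragment standing in for an unauthenticated GET / response
SAMPLE_HTML = (
    "<html><head><title>Sign in · GitLab</title>"
    f'<link rel="stylesheet" href="/assets/application-{"a" * 64}.css" media="all">'
    "</head><body></body></html>"
)

if __name__ == "__main__":
    verdict, label = classify(SAMPLE_HTML)
    print(verdict, label)  # 'match' flags a likely-affected version, not proven exploitability
```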

Nuclei Template

View the template here: CVE-2021-22205.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2021/CVE-2021-22205.yaml

References:

https://hackerone.com/reports/1154542
https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/
https://nvd.nist.gov/vuln/detail/CVE-2021-22205
https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator
https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196